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REVERSE ENGINEERING PROCESS 



Set Up an Isolated Environment 



VMWare, Xen, Virtual PC 
Dedicated Hardware 



Initial Analysis and Execution 



Sysinternals, CWSandbox 
Look for OS State Changes 
• Files, registry, network 



Deobfuscation / Software Dearmoring 



Unpacking 

Debuggers, Saffron, Ether 



Disassembly / Code-level analysis 



IDA Pro 
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Identify Relevant and Interesting Features 



Experience based 

Newbies have trouble with this 



COMPLEXITIES OF REVERSE 
ENGINEERING 



Most malware is compiled Intel x86 code; what the analyst actually works with is the disassembled x86 assembly, not the original source 



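/*
 * Password-check sample used as the reverse-engineering example on the
 * following slides (the "C Code - 45 lines" side of the comparison).
 *
 * The expected password is stored XOR-obfuscated with 0x90 so the plaintext
 * never appears in the binary's string table; main() undoes the XOR on the
 * user's input byte by byte and compares.  This listing was recovered from an
 * OCR'd slide: the escapes below were repaired by checking that every byte
 * decodes (byte ^ 0x90) to the readable sentence
 * "LULZ 3 years of my life on the line."
 */
char pw[] = "\xdc\xc5\xdc\xca\xb0\xa3\xb0\xe9"
            "\xf5\xf1\xe2\xe3\xb0\xff\xf6\xb0"
            "\xfd\xe9\xb0\xfc\xf9\xf6\xf5\xb0"
            "\xff\xfe\xb0\xe4\xf8\xf5\xb0\xfc"
            "\xf9\xfe\xf5\xbe";

/*
 * Prompt for a password on stdin, print "Good password" or "Bad password",
 * wait for one more keypress and return 0.  argc/argv are unused.
 */
int main(int argc, char *argv[])
{
    char in[256] = {0};
    size_t i = 0;
    size_t inlen = 0;
    bool isgood = 1;

    printf("Enter your password: ");
    fflush(stdout);

    /* NOTE(review): the return value is not checked.  On EOF `in` stays
     * empty, inlen is 0 and `inlen - 1` below wraps to SIZE_MAX; the loop
     * still stops at i == 0 because pw[0] can never equal (char)0x90, but
     * only by accident. */
    fgets(in, sizeof(in) - 1, stdin);

    inlen = strlen(in);

    /* Compare everything except the trailing newline left by fgets.
     * NOTE(review): only the first inlen - 1 input bytes are compared and
     * the length of pw is never checked, so any prefix of the password is
     * accepted, the loop exits on the first mismatch (not constant-time),
     * and input longer than pw can read past the end of pw.  Left as-is on
     * purpose: the disassembly on the next slides is of exactly this logic. */
    for (i = 0; i < inlen - 1; i++)
    {
        if (pw[i] != (char)(in[i] ^ 0x90))
        {
            isgood = 0;
            break;
        }
    }

    if (isgood)
        printf("Good password\n");
    else
        printf("Bad password\n");

    getchar();
    return 0;
}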



Machine code is more complex 

Optimizations make analysis more difficult 

Total code size is 1,200 instructions 

118 relevant assembly instructions 

Much of the machine code is compiler boilerplate. The listing that follows looks like an unoptimized MSVC debug build: the 0CCCCCCCCh stack fill via rep stosd, the dword_41702C / xor eax, ebp stack-cookie setup and the repeated cmp esi, esp / call sub_41114F run-time checks are all compiler-inserted rather than program logic, and an optimized release build of the same source would look noticeably different (less boilerplate, more inlining). 
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ebp 

ebp, esp 
esp, lFOh 



edi , [ebp+-var_lF0~ 
ef-X. 7Ch 
eax, OCCCCCCCCh 
id 

eax | dwor d_4l702C 
eax | ebp 
[ebptvar_4] r eax 
"ebp-i-Str] T O 
OFFh ; S 

o 

■23.X . ~<=rjp7-DSr[ 

eax 

j_rerset 
esp, OCh 
[ebp+var_114~ , 
[ebp-i-var_120~ , 
[ebp-i-var_129~ , 
esi , esp 
offset Formal 
ds: pn'ntf 
esp, 4 
esi , esp 
sub_41114F 
esi | esp 

ds: iob_func 

esi | esp 
sub_41114F 
eax, 20h 
esi , esp 
eax 

ds:ff"lush 
esp, 4 
esi | esp 
sub_41114F 
esi | esp 

ds: iob_func 

esi , esp 

SUb_41114F 

esi , esp 
eax 

OFFh 

eax | ~ebpi-Str] 

eax 

ds:f gets 

esp, OCh 

esi , esp 

sub_41114F 

eax, [ebptStr] 

eax 

j_strlen 

esp, 4 
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[ebp+-var_114] , o 

Short 10C_4114DA 

eax , ~iBt>p-i-var_i_i4~ 

eax , i 

[ebpi-var_114] r eax 
eax , ~ebp-t-var_120] 
eax | 1 

"ebptvar_il4" r eax 
short_1oc_4liElD 
eax, [ebp+-var_114] 
ecx , byte_4i70QO '_ea.x'_ 
edx, [ebp+-var_H4] 
eax , "ebpi-edx-i-Strl 
eax, 90 h 



short 1oc_411E1E 

febp-i-var_129" , 

short 1oc_411E1D 

eax , [ebp+-var_i29] 

eax , eax 

short 1oc_411541 

esi , esp 

offset aGoodPassword 

ds: pn'ntf 

esp, 4 

esi | esp 

sub_41114F 

Short l0C_41155S 

esi , esp 

offset aBadFassward ; 

ds: printf 

esp, 4 

esi | esp 

sub_41114F 

esi | esp 

ds: getchar 

esi , esp 

SUb_41114F 

eax , eax 

edx 

ecx, ebp 

eax 

edx | dword_411E9B 

sub_411091 

eax 



ecx | [ebp+var_4] 
ecx, ebp 
sub_411023 
esp, lFOh 
ebp, esp 

SUb_41114F 

esp, ebp 
ebp 
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"Enter your password: 



File 

MaxCount 



3.i- 



= ?.>. 



" Goo d pas swor d \ n ir 



"Bad pas5word\n" 



C Code - 45 lines 



Reverse Engineering 



Relevant Assembly Code 



COMPLEXITIES OF REVERSE 
ENGINEERING 



Executables can be obfuscated 



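/*
 * Source of the sample whose packed/obfuscated builds are visualized on the
 * following slides.  Same check as the earlier example, different password.
 *
 * The expected password is kept XOR-obfuscated with 0x90 so that a strings
 * dump of the binary does not reveal it.  Recovered from an OCR'd slide; the
 * escapes were repaired by confirming that the bytes decode (byte ^ 0x90) to
 * "Well I hope it was all worth it."
 */
char pw[] = "\xc7\xf5\xfc\xfc\xb0\xd9\xb0\xf8"
            "\xff\xe0\xf5\xb0\xf9\xe4\xb0\xe7"
            "\xf1\xe3\xb0\xf1\xfc\xfc\xb0\xe7"
            "\xff\xe2\xe4\xf8\xb0\xf9\xe4\xbe";

/*
 * Read one line from stdin, report "Good password" / "Bad password", wait
 * for a keypress and exit 0.  argc/argv are unused.
 */
int main(int argc, char *argv[])
{
    char in[256] = {0};
    size_t i = 0;
    size_t inlen = 0;
    bool isgood = 1;

    printf("Enter your password: ");
    fflush(stdout);

    /* NOTE(review): fgets' return value is ignored; on EOF `in` is empty,
     * inlen becomes 0 and `inlen - 1` wraps.  The loop still exits on the
     * first iteration (pw[0] != (char)0x90), but that is luck, not design. */
    fgets(in, sizeof(in) - 1, stdin);

    inlen = strlen(in);

    /* Skip the trailing newline fgets keeps.  NOTE(review): because the
     * bound is the input length and not the length of pw, every prefix of
     * the password passes, the early break makes the compare non-constant-
     * time, and over-long input can index past the end of pw.  Preserved
     * unchanged so the listing still matches the disassembly and VERA
     * graphs that follow. */
    for (i = 0; i < inlen - 1; i++)
    {
        if (pw[i] != (char)(in[i] ^ 0x90))
        {
            isgood = 0;
            break;
        }
    }

    if (isgood)
        printf("Good password\n");
    else
        printf("Bad password\n");

    getchar();
    return 0;
}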
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004113EE 


push esi 
push edi 
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lea edi, [ebp+var_lFO] 
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mov ecx, 7Ch 
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mav eax , occcccccch 
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004113FC 


rep stosd 
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mov eax, dword_41702C 
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00411403 


xor eax , ebp 
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mov [ebptvar_4] , eax 
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mav "ebp+str^ , o 
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push OFFh ; size 
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push o ; val 
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lea eax, [ebp+D)st] 






. text 
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push eax ; Dst 
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call j_memset 
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add esp, och 
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mov Iebptvar_ll4] , 
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mav "ebp-i-var_l20" , 
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mav "ebp-i-var_l29" , 1 
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mav esi , esp 
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push offset Format ; "Enter your password: " 
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call ds: printf 
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add esp, 4 
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cmp esi , esp 
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call SUb_41114F 
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add eax , 20h 
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mav esi , esp 
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push eax ; File 
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add esp, 4 
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call SUb_41114F 
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mav esi , esp 
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push eax ; File 
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push OFFh ; Maxcount 
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lea eax, [ebp+Str] 
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push eax ; Buf 
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call ds:fgets 
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mov eax, [ebp-i-var_ll4] 
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movsx edx , al 
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cmp ecx, edx 
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jz short l0C_41151E 
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jmp short 1oc_41151D 






. text 


0041151D 
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mov esi , esp 
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push offset aGoodPassword ; "Good password\n' r 
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call ds: printf 
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.text 


00411545 
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cmp esi , esp 
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call ds: getchar 
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cmp esi , esp 
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retn 
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Information loss: comments, variable names and the original structure of the code do not survive compilation. Names such as Str, var_114 and sub_41114F in the listing above are auto-generated IDA placeholders, not recovered identifiers. 



TYPES OF PACKERS 



FSG 



UPX 



ASPack 



ASPack 



PeCompact 
ASProtect 



PEtite 



tElock 



MEW11SE 



WinRAR 32-bit SFX Module 



Borland C++ DLL 



yoda's Protector 
NeoLite 



Xtreme-Protector 



LCC Win32 



Themida -> Oreans Technologies 2004 

MinGW 

Ste@lth PE 1.01 -> BGCorp 



Armadillo 



TASM / MASM 



PECompact 
PE Pack 



PKLITE32 1.1 -> PKWARE Inc. 



PKLITE32 



UPX-Scrambler RC 



Wise Installer Stub 



SVK Protector 



PEiD scanning results from 3.6 million samples from Offensive Computing. Caveat: PEiD matches entry-point byte signatures, so several entries in this list (Borland C++ DLL, MinGW, LCC Win32, TASM / MASM, WinRAR SFX Module, Wise Installer Stub) are compiler or installer stubs rather than packers, and signature matching can be evaded (UPX-Scrambler exists precisely to break the UPX signature), so treat a PEiD hit as a hint, not a verdict. 



UNPACKING TECHNIQUES 



ASPack 
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tElock 
MEW11SE 



WinRAR 32-bit SFX Module 



Borland C++ DLL 



yoda's Protector 
NeoLite 



Xtreme-Protector 



LCC Win32 



Themida -> Oreans Technologies 2004 

MinGW 

Ste@lth PE 1 .01 -> BGCorp 

Armadillo 



TASM / MASM 



PECompact 
PE Pack 



PKLITE32 1.1 -> PKWARE Inc. 



PKLITE32 
UPX-Scrambler RC 



Wise Installer Stub 



SVK Protector 



PEiD scanning results from 3.6 million samples from Offensive Computing. Caveat: PEiD matches entry-point byte signatures, so several entries in this list (Borland C++ DLL, MinGW, LCC Win32, TASM / MASM, WinRAR SFX Module, Wise Installer Stub) are compiler or installer stubs rather than packers, and signature matching can be evaded (UPX-Scrambler exists precisely to break the UPX signature), so treat a PEiD hit as a hint, not a verdict. 



VERA 



Force directed graph of execution traces 

Helps with determining where to start the 
reverse engineering process 

Cuts down on RE time 



Makes unpacking easier 



VERA - SCREENSHOTS 
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WHAT THE COLORS MEAN 



Yellow - Normal, uncompressed low-entropy section data 

Dark Green - DLL / API / Section not present 

Light Purple - SizeOfRawData = 0 (the section occupies no bytes on disk; its contents exist only after something, typically the unpacking stub, writes them at run time) 

Dark Red - High Entropy 



Light Red - Instructions not in the packed executable (code that exists only after unpacking) 



Lime Green - Operands don't match 



KOOBFACE INITIAL INSTALLATION 



Start I ^^. 



Initialization 




^ 



Modified UPX Packer/ 




Original Entry Point 



004050C& 



DLL Procedure 
Loader 



End of Execution 




Service 

Scheduler and 
Payload Startup 
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File Injection System 





KOOBFACE SERVICE 



Start 



Original Entry 



Facebook 

MySpace 
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hi5 
Netlog 



Windows Executable 
Preamble 



Es 
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Registry Run Key 
Installer 



/ 
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Call Home Network 
Code 
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CreateFile 
Wrapper 
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String 
Object 



Exit 
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NOTES ON THE 3D VISUALIZATION 



Uses 3D layout from Ubigraph tool 
Force directed, $O(|V| \log |V| + |E|)$ 
Heavily threaded, high performance 
Only for the Mac, Linux 



Integrated into the main VERA GUI for export 



UBIGRAPH 



Dynamic Multilevel Graph Visualization 
CoRR 2007 

Todd Veldhuizen 

• Where are you? 

• People would like to pay you 
http://ubietylab.net 
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TEMPORAL VISUALIZATION 
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WHY TIME IS IMPORTANT TO RE 



Understanding the flow of events helps to 
reconstruct what it does 

Example: Mebroot 



Initial 30-minute busy loop 



• Is the malware broken? No: a delay this long also outlasts the execution window of most automated sandboxes, so a short dynamic run would report the sample as inert 

• Afterwards functional and persistent 
Complicated samples can get obfuscated quickly 



SEARCH FEATURE 



Commonly requested feature to be able to search 
for addresses in visualization 

Allows for synchronization between IDA/OllyDBG 
with the main visualization 

Reduces hunting and searching for APIs 
Faster code discovery 



VISUAL UNPACKING 



For known packers it is trivially easy 
(once you know how) 

For unknown packers it's a matter of determining 
functionality 

Automated methods are fairly robust, provided the sample actually reaches its unpacked code in the analysis environment (a stalling loop like the Mebroot one described later, or any check that halts execution, leaves the unpacker with nothing to capture) 

• Ether 

• PolyUnpack 

• Etc. 



ARCHITECTURE OF A PACKER 



Malicious Packed Executable 



Malicious Unpacked Executable 



MS-DOS and 
PE Headers 



Decompression / 
Deobfuscation Code 



Packed 






Compressed 
Code 



Original Entry Point 



MS-DOS and 
PE Headers 



Decompression / 
Deobfuscation Code 



Unpacked 



Decompressed 
Code 



(High Entropy) 



(CPU Instructions) 



ARCHITECTURE OF A PACKER 



Very rare that malware is written in pure 
assembly 

Most malware uses traditional software 
development tools (Compilers, etc.) 



Modern malware is a complex, commercial piece 
of software 

Obfuscations added afterwards before 
deployment 
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ASPACK 




Color Key: 
Normal 



No section present 

Section SizeOfRawData = 

High Entropy (Packed or Compressed) 

Instruction not present in packed executable 

Operands don't match 




Color Key: 

Normal 

No section present 

Section SizeOfRawData = 

High Entropy (Packed or Compressed) 



Instruction not present in packed executable 



MEW 




Color Key: 

Normal 

No section present 

Section SizeOfRawData = 

High Entropy (Packed or Compressed) 

Instruction not present in packed executa 

Operands don't match 



TELOCK 



Color Key: 

Normal 

No section presen 

Section SizeQfRawData = 

High Entropy (Packed or Compressed) 

Instruction not present in packed executable 

Operands don't match 



Start 



AUTOMATED UNPACKING 



Is EIP Writing 
Memory? 



Timraim'jraiiMfl 



Is EIP a 

Previously Written 

Address? 




0x401000 
0x401002 
0x401008 
0x401010 
0x401094 
0x401098 



0x509003 
0x380303 
0x380290 
0x313370 
0x31 337B 
0x401339 



Need a system to track: 

• Memory writes 

• Executed memory addresses 

The first execution of a previously written address marks the end of one unpacking layer; multi-layer packers repeat the write-then-execute cycle, so a candidate found this way should be confirmed before it is treated as the original entry point 




VISUAL UNPACKING DEMO 



SUMMARY 



3D Force Directed Visualizations 



Searching inside Visualization 



Temporal Animation 



Visual Reverse Engineering 



RELEASE NOTES 



Timeframe for release in the next two weeks 

• Government code release bureaucracy 

• Version 0.50 will contain new features 

Videos on Youtube soon 

Download VERA, presentation, high quality videos 
at: 

• http://csr.lanl.gov/vera 
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